Below are some core code snippets.

// process monitoring callback function
// disable the creation of specified processes
VOID ProcessNotifyExRoutine_call_back(
	PEPROCESS pEProcess, 
	HANDLE hProcessId, 
	PPS_CREATE_NOTIFY_INFO CreateInfo)
{
	if (NULL == CreateInfo)
	{
		return;
	}
	PCHAR pszImageFileName = PsGetProcessImageFileName(pEProcess);
	if (0 == _stricmp(pszImageFileName, "avpui.exe")) // target process name
	{
		CreateInfo->CreationStatus = STATUS_ACCESS_DISABLED_NO_SAFER_UI_BY_POLICY;
	}
}

NTSTATUS ZwKillProcess(HANDLE pid)//Kill the process
{
	HANDLE hProcess = NULL;
	CLIENT_ID ClientId;
	OBJECT_ATTRIBUTES oa;
	NTSTATUS status;
	ClientId.UniqueProcess = pid;
	ClientId.UniqueThread = 0;
	oa.Length = sizeof(oa);
	oa.RootDirectory = 0;
	oa.ObjectName = 0;
	oa.Attributes = 0;
	oa.SecurityDescriptor = 0;
	oa.SecurityQualityOfService = 0;
	status = ZwOpenProcess(&hProcess, 1, &oa, &ClientId);
	if (NT_SUCCESS(status))
	{
		ZwTerminateProcess(hProcess, 0);
		ZwClose(hProcess);
		return status;
	};
	return FALSE;
}

bin.zip

e.g.

32 minutes ago, boot said:

Below are some core code snippets.

// process monitoring callback function
// disable the creation of specified processes
VOID ProcessNotifyExRoutine_call_back(
	PEPROCESS pEProcess, 
	HANDLE hProcessId, 
	PPS_CREATE_NOTIFY_INFO CreateInfo)
{
	if (NULL == CreateInfo)
	{
		return;
	}
	PCHAR pszImageFileName = PsGetProcessImageFileName(pEProcess);
	if (0 == _stricmp(pszImageFileName, "avpui.exe")) // target process name
	{
		CreateInfo->CreationStatus = STATUS_ACCESS_DISABLED_NO_SAFER_UI_BY_POLICY;
	}
}

NTSTATUS ZwKillProcess(HANDLE pid)//Kill the process
{
	HANDLE hProcess = NULL;
	CLIENT_ID ClientId;
	OBJECT_ATTRIBUTES oa;
	NTSTATUS status;
	ClientId.UniqueProcess = pid;
	ClientId.UniqueThread = 0;
	oa.Length = sizeof(oa);
	oa.RootDirectory = 0;
	oa.ObjectName = 0;
	oa.Attributes = 0;
	oa.SecurityDescriptor = 0;
	oa.SecurityQualityOfService = 0;
	status = ZwOpenProcess(&hProcess, 1, &oa, &ClientId);
	if (NT_SUCCESS(status))
	{
		ZwTerminateProcess(hProcess, 0);
		ZwClose(hProcess);
		return status;
	};
	return FALSE;
}

bin.zip

e.g.

nice

9 hours ago, boot said:

Below are some core code snippets.

// process monitoring callback function// disable the creation of specified processesVOID ProcessNotifyExRoutine_call_back(
	PEPROCESS pEProcess, 
	HANDLE hProcessId, 
	PPS_CREATE_NOTIFY_INFO CreateInfo){
	if (NULL == CreateInfo)
	{
		return;
	}
	PCHAR pszImageFileName = PsGetProcessImageFileName(pEProcess);
	if (0 == _stricmp(pszImageFileName, "avpui.exe")) // target process name
	{
		CreateInfo->CreationStatus = STATUS_ACCESS_DISABLED_NO_SAFER_UI_BY_POLICY;
	}
}

NTSTATUS ZwKillProcess(HANDLE pid)//Kill the process{
	HANDLE hProcess = NULL;
	CLIENT_ID ClientId;
	OBJECT_ATTRIBUTES oa;
	NTSTATUS status;
	ClientId.UniqueProcess = pid;
	ClientId.UniqueThread = 0;
	oa.Length = sizeof(oa);
	oa.RootDirectory = 0;
	oa.ObjectName = 0;
	oa.Attributes = 0;
	oa.SecurityDescriptor = 0;
	oa.SecurityQualityOfService = 0;
	status = ZwOpenProcess(&hProcess, 1, &oa, &ClientId);
	if (NT_SUCCESS(status))
	{
		ZwTerminateProcess(hProcess, 0);
		ZwClose(hProcess);
		return status;
	};
	return FALSE;
}

bin.zip

e.g.

Hello @boot,

thank you for trying to help. So I have some questions. I watched your example video and wanna know these. Where is the Driver Monitor (can't find it on GH) tool to load the driver? Even in video you did start signed driver but in your package its only the unsigned driver & UI.exe. Also, why does the example app in your video not starts again after you did kill it? Do you have to unload your driver after again? Maybe you can post some more little details. What processes can your UI file terminate? I would like to test it too in VM so is there any system process I can kill with your app which I normally can't kill? Otherwise, do you have any similar example app I can run for testing which can't be terminated?

greetz